On my Ubuntu 22.04 system, here's how I did it. Both the un-tarred Nginx folder and the ModSecurity folders are in the root of my /opt directory.
1.) Download the latest Nginx
cd /opt && sudo wget https://nginx.org/download/nginx-1.25.0.tar.gz
2.) sudo tar -xvzf nginx-1.25.0.tar.gz
3.) cd /opt && sudo git clone https://github.com/SpiderLabs/ModSecurity
4.) cd ModSecurity && sudo git submodule init && sudo git submodule update
5.) sudo ./build.sh
6.) sudo ./configure
7.) sudo make && sudo make install
8.) cd /opt && sudo git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx
9.) cd ./nginx-1.25.0
sudo ./configure --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --sbin-path=/usr/sbin/nginx --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --modules-path=/usr/lib/nginx/modules --with-compat --with-debug --add-dynamic-module=/opt/ModSecurity-nginx --user=www-data --group=www-data --with-file-aio --with-http_realip_module --with-http_v2_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-pcre --with-http_gunzip_module --with-http_gzip_static_module
10.) sudo -s
make
make modules
make install
make clean
exit
11.) sudo nginx -v
--------------------
Configure ModSecurity
Test that ModSecurity is NOT working YET by performing a simple local file inclusion attack: open the following URL in your favorite browser:
http://mywebsite.com/?exec=/bin/bash
12.) tree /usr/lib/nginx/modules
13.) sudo rm -rf /usr/share/modsecurity-crs
14.) Download the OWASP rules
cd /opt && sudo git clone https://github.com/coreruleset/coreruleset /opt/modsecurity-crs
15.) sudo mv /opt/modsecurity-crs/crs-setup.conf.example /opt/modsecurity-crs/crs-setup.conf
16.) Rename the default request exclusion rule file:
sudo mv /opt/modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example /opt/modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
17.) sudo mv /opt/modsecurity-crs /usr/local/
18.) Start by creating a ModSecurity directory in the /etc/nginx/ directory:
sudo mkdir -p /etc/nginx/modsec
19.) Copy over the unicode mapping file and the ModSecurity configuration file from your cloned ModSecurity GitHub repository:
sudo cp /opt/ModSecurity/unicode.mapping /etc/nginx/modsec/
sudo mv /opt/ModSecurity/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
20.) Change the value for SecRuleEngine to On:
sudo sed -i "s/SecRuleEngine DetectionOnly/SecRuleEngine On/" /etc/nginx/modsec/modsecurity.conf
21.) sudo vi /etc/nginx/modsec/main.conf
Include /etc/nginx/modsec/modsecurity.conf
Include /usr/local/modsecurity-crs/crs-setup.conf
Include /usr/local/modsecurity-crs/rules/*.conf
22.) Open your virtual host configuration file and insert the following lines in your server block:
sudo vi /etc/nginx/conf.d/mywebsite.com.conf
At the bottom, but before the closing } bracket:
modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;
23.) sudo nginx -t
24.) sudo systemctl restart nginx
Test that ModSecurity is NOW working by performing a simple local file inclusion attack: open the following URLs in your favorite web browser, then check the logs:
mywebsite.com/?exec=/bin/bash
mywebsite.com?doc=/bin/ls
sudo tail /var/log/modsec_audit.log
sudo tail /var/log/nginx/mywebsite.com.error.log
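
One way to confirm that steps 20 to 24 took effect, as an added example that is not part of the original post: it reads the effective SecRuleEngine value, checks that every Include in main.conf resolves to a file, and sends the post's own test URL. The function names and the expected 403 status are assumptions of this example; mywebsite.com is the post's placeholder host.

```bash
#!/usr/bin/env bash
# Added example: post-install checks for the setup above (function names are this example's own).

# Print the effective SecRuleEngine value: the last uncommented directive wins,
# so a sed substitution that matched nothing shows up here as DetectionOnly.
rule_engine_mode() {
    awk 'tolower($1) == "secruleengine" { mode = $2 }
         END { print (mode == "" ? "unset" : mode) }' "$1"
}

# Print every Include target in main.conf that matches no readable file.
missing_includes() {
    local target f found
    awk 'tolower($1) == "include" { print $2 }' "$1" | while read -r target; do
        found=0
        for f in $target; do    # unquoted on purpose so rules/*.conf expands
            if [ -r "$f" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then echo "$target"; fi
    done
}

# Send one request and print only the HTTP status code ("000" if unreachable).
probe_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1"
}

main() {
    local conf="${1:-/etc/nginx/modsec/modsecurity.conf}"
    local main_conf="${2:-/etc/nginx/modsec/main.conf}"
    local site="${3:-http://mywebsite.com}"    # placeholder host from the post
    local mode missing code rc=0

    mode=$(rule_engine_mode "$conf")
    [ "$mode" = "On" ] || { echo "FAIL: SecRuleEngine is $mode, not On"; rc=1; }

    missing=$(missing_includes "$main_conf")
    [ -z "$missing" ] || { echo "FAIL: Include matches no file: $missing"; rc=1; }

    # Assumption: blocked requests are answered with the default 403 status.
    code=$(probe_status "$site/?exec=/bin/bash")    # test URL from the post
    [ "$code" = "403" ] || { echo "FAIL: probe returned HTTP $code"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: rules enforced, includes resolve, probe blocked"
    return "$rc"
}

# Run the checks only when asked: bash <this-file> --check [conf] [main_conf] [site]
if [ "${1:-}" = "--check" ]; then shift; main "$@"; fi
```

A SecRuleEngine value of DetectionOnly means matches are still written to the audit log but the request is served, which is the state step 20 is meant to change.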